Robin_Svanberg
New Member
October 12, 2015
Solved

FortiManager 5.2.4 and LDAP groups not working

  • October 12, 2015
  • 1 reply
  • 17520 views

Trying to configure LDAP for a FortiManager 5.2.4 but can't get it working.

Configured an LDAP server with the group that they should be a member of, but when I apply it, users of that group can't log in.

  • Is there any equivalent to the FortiGate diag test auth ldap?
  • Are there any logs to check? (Eventlog only says "User 'xxxx' login failed from GUI(10.241.241.2), reason:Authentication failure. Please try again...")
  • Is there anything that you can see that's not configured properly in the configuration below?

    Configuration below:

    config system admin ldap
        edit "ldaps_domain"
            set server "dc1"
            set secondary-server "dc2"
            set cnid "cn"
            set dn "DC=domain,DC=tld"
            set port 636
            set type regular
            set username "CN=sausername,OU=Service Accounts,OU=Internal IT,OU=ROOT,DC=domain,DC=tld"
            set password ENC *******
            set group "CN=sg_FortiManagerAdministrators,OU=Groups,OU=ROOT,DC=domain,DC=tld"
            set secure ldaps
            set ca-cert "CA_Cert_1"
            set adom "all_adoms"
        next
    end


    Carl_Wallmark
    New Member
    October 13, 2015

    Hi Robin,

     

    What are your users using as login name? I see that you have chosen the standard "cn" in cnid.

    Try to change to "sAMAccountName", which is the username in Windows.

    Robin_Svanberg
    New Member
    October 13, 2015
    Hi, normally I use sAMAccountName, so I tried with cn just in case :) If I remove the group within the LDAP server config, auth works.
    Carl_Wallmark (Best answer)
    New Member
    October 13, 2015

    Robin,

     

    I tried it on my own FortiManager and I have it working:

     

    name                : Server01
    server              : 1.1.1.1
    secondary-server    : (null)
    tertiary-server     : (null)
    cnid                : samAccountName
    dn                  : DC=company,DC=org
    port                : 389
    type                : regular
    username            : sa@company.org
    password            : *
    group               : CN=ADM Accounts,OU=Security Groups,OU=Administration,DC=company,DC=org
    filter              : (&(objectcategory=group)(member=*))
    attributes          : member
    secure              : disable
    connect-timeout     : 500

     

    Then create a new user, check the "Wildcard" box and choose LDAP and your server.

    Notice that I have changed the filter according to:

    http://kb.fortinet.com/kb...=8412764&stateId=0 0 73082795
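The thread never answers the first question (an equivalent of the FortiGate diag test auth ldap on FortiManager), and the accepted answer does not say why the group setting breaks the login. The script below is an added example, not code from the thread, from Fortinet or from FortiManager: it emulates, against a small constructed directory, the two lookups a group-restricted LDAP admin login reduces to (find the user's DN by `cnid` under `dn`, then check that the `group` object matches `filter` and lists that DN in `attributes`), and it prints the two `ldapsearch` commands that reproduce those lookups from a workstation so the result can be compared with what the DC actually returns. Assumptions that are mine and not stated on the page: the lookup order, that an ambiguous user search counts as a failure, the user and group entries in `DIRECTORY`, and that `objectCategory` is stored as the short name `group` (in real AD it is a DN, but a `(objectcategory=group)` filter still matches because AD resolves the class name). `CFG` mirrors the poster's configuration with `cnid` changed to `sAMAccountName` and the filter and attribute from the accepted answer; it keeps `ldaps` on 636 rather than copying the answer's plaintext port 389, because the service-account bind password would otherwise cross the network in the clear. The login name is RFC 4515-escaped before it goes into the filter, which is the piece a practitioner should check in any home-grown lookup.

```python
import shlex

# Constructed stand-in for the poster's Active Directory (not real data).
DIRECTORY = {
    "CN=Alice Example,OU=Users,OU=ROOT,DC=domain,DC=tld": {
        "objectCategory": ["person"],
        "cn": ["Alice Example"],
        "sAMAccountName": ["aexample"],
    },
    "CN=Bob Other,OU=Users,OU=ROOT,DC=domain,DC=tld": {
        "objectCategory": ["person"],
        "cn": ["Bob Other"],
        "sAMAccountName": ["bother"],
    },
    "CN=sg_FortiManagerAdministrators,OU=Groups,OU=ROOT,DC=domain,DC=tld": {
        "objectCategory": ["group"],
        "cn": ["sg_FortiManagerAdministrators"],
        "member": ["CN=Alice Example,OU=Users,OU=ROOT,DC=domain,DC=tld"],
    },
}

# The poster's settings with cnid switched to sAMAccountName and the group
# filter / attribute from the accepted answer; ldaps on 636 is kept (assumed).
CFG = {
    "server": "dc1",
    "port": 636,
    "dn": "DC=domain,DC=tld",
    "cnid": "sAMAccountName",
    "username": "CN=sausername,OU=Service Accounts,OU=Internal IT,OU=ROOT,DC=domain,DC=tld",
    "group": "CN=sg_FortiManagerAdministrators,OU=Groups,OU=ROOT,DC=domain,DC=tld",
    "filter": "(&(objectcategory=group)(member=*))",
    "attributes": "member",
}


def escape_filter_value(value):
    """RFC 4515 escaping so a typed login name cannot rewrite the search filter."""
    special = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}
    return "".join(special.get(ch, ch) for ch in value)


def user_filter(cnid, login):
    """Filter for the user lookup: (<cnid>=<escaped login>)."""
    return f"({cnid}={escape_filter_value(login)})"


def _under(dn, base_dn):
    """True if dn is base_dn itself or sits below it (case-insensitive)."""
    dn, base_dn = dn.lower(), base_dn.lower()
    return dn == base_dn or dn.endswith("," + base_dn)


def find_user_dn(directory, base_dn, cnid, login):
    """Step 1: subtree search under base_dn for cnid=login.
    Assumption: anything other than exactly one hit is treated as a failure."""
    hits = [
        dn for dn, attrs in directory.items()
        if _under(dn, base_dn)
        and any(v.lower() == login.lower() for v in attrs.get(cnid, []))
    ]
    return hits[0] if len(hits) == 1 else None


def is_group_member(directory, group_dn, user_dn, member_attr="member"):
    """Step 2: the group object must be a group and list user_dn as a DIRECT member.
    Nested groups are not expanded here, and a plain member= check does not expand them either."""
    group = directory.get(group_dn)
    if group is None:
        return False
    if "group" not in [v.lower() for v in group.get("objectCategory", [])]:
        return False
    return any(m.lower() == user_dn.lower() for m in group.get(member_attr, []))


def authorize(directory, cfg, login):
    """Outcome of one GUI login: 'ok', 'not_in_group' or 'no_such_user'."""
    user_dn = find_user_dn(directory, cfg["dn"], cfg["cnid"], login)
    if user_dn is None:
        return "no_such_user"
    if not is_group_member(directory, cfg["group"], user_dn, cfg["attributes"]):
        return "not_in_group"
    return "ok"


def ldapsearch_commands(cfg, login):
    """The same two lookups as OpenLDAP ldapsearch command lines, to run from a
    workstation with the service account as a stand-in for a diag test on the box."""
    scheme = "ldaps" if cfg["port"] == 636 else "ldap"
    base = ["ldapsearch", "-LLL", "-H", f"{scheme}://{cfg['server']}:{cfg['port']}",
            "-D", cfg["username"], "-W"]
    step1 = base + ["-b", cfg["dn"], user_filter(cfg["cnid"], login), "dn"]
    step2 = base + ["-b", cfg["group"], "-s", "base", cfg["filter"], cfg["attributes"]]
    return [" ".join(shlex.quote(arg) for arg in cmd) for cmd in (step1, step2)]


if __name__ == "__main__":
    for name in ("aexample", "bother", "nobody"):
        print(f"{name}: {authorize(DIRECTORY, CFG, name)}")
    print("\n".join(ldapsearch_commands(CFG, "aexample")))
```

Running `authorize` with `cnid` set back to `cn` returns `no_such_user` for the login `aexample`, which is the failure mode the first reply points at: the GUI login name has to be the value stored in the `cnid` attribute. With the correct `cnid` but a user who is not listed in the group's `member` attribute the result is `not_in_group`, which is what the poster saw once `group` was set. When running the printed `ldapsearch` lines against a real DC over `ldaps://`, point OpenLDAP's `TLS_CACERT` (in `ldap.conf` or `LDAPTLS_CACERT` in the environment) at the same CA certificate that is loaded as `ca-cert` on the FortiManager; if step 2 returns the group but its `member` list does not contain the exact DN that step 1 returned, the group check will fail on the box as well.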